A payment system implemented on a mobile device authenticates transactions made via the mobile device. The mobile device generates a public-private key pair and receives an authenticating input from a user of the device. The public key is sent to a secure payment system, and the authenticating input is used to generate a symmetric key that encrypts the private key. After a transaction is initiated, the mobile device again receives an authenticating input from the user. The symmetric key is regenerated from that input, and the mobile device attempts to decrypt the encrypted private key with it. The decrypted key is used to sign a transaction authorization message, which is sent to the secure payment system along with payment information; the secure payment system verifies the signed message via the public key. Additional techniques related to secure payments are also disclosed.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method, implemented on a mobile device, for authorizing a transaction with payment information, comprising: generating a random private-public key pair including an asymmetric private key and an asymmetric public key; providing to a secure payment system the asymmetric public key; receiving an authenticating input from a user; generating a random salt; generating a symmetric encryption key by applying a one-way hashing function to a combination of the authenticating input and the random salt; encrypting the asymmetric private key using the symmetric encryption key to produce an encrypted private key; storing, in a memory of the mobile device, the encrypted private key; deleting the asymmetric private key, the asymmetric public key, the authenticating input, and the symmetric encryption key from the memory of the mobile device; receiving a request to initiate a transaction and a subsequent authenticating input from the user; and responsive to receiving the request to initiate the transaction: retrieving the random salt; re-generating the symmetric encryption key by applying the one-way hashing function to a combination of the subsequent authenticating input and the random salt; decrypting the encrypted private key with the symmetric encryption key to obtain the asymmetric private key; generating a cryptographically signed message using the asymmetric private key, wherein the cryptographically signed message authorizes the transaction; and providing, to the secure payment system, the cryptographically signed message.
2. The method of claim 1, wherein the authenticating input is or is generated from at least one of a PIN, a fingerprint, a facial recognition profile, an eye scan, an unlock pattern, and a password.
3. The method of claim 1, further comprising: storing the random salt in the memory of the mobile device.
4. The method of claim 1, further comprising storing the asymmetric private key via an encrypted storage system managed by an operating system.
5. The method of claim 1, further comprising verifying the user using a verification scheme, the verification scheme including at least one of: receiving a call; sending a text message; receiving a text message; receiving a push notification and sending a response to the secure payment system; and requiring the user to input at least one of a social security number, a portion of a social security number, a bank account PIN, answers to one or more questions regarding a financial history of the user, an address of the user, and a name of the user, and sending the input to the secure payment system.
6. The method of claim 5, wherein the verification scheme used to verify the user includes verifying an identifier, the identifier including at least one of the name of the user, the portion of the social security number, or a device ID, and wherein the secure payment system is further configured to issue a public key certificate which includes the identifier and the asymmetric public key.
7. The method of claim 1, wherein the cryptographically signed message authorizing the transaction can only be generated using the asymmetric private key and further wherein the asymmetric private key is not provided to a device other than the mobile device.
8. The method of claim 1, further comprising receiving a cryptographically signed receipt from the secure payment system, wherein the cryptographically signed receipt is signed by an asymmetric private key known only to the secure payment system.
9. The method of claim 1, further comprising: receiving, from a vendor, a transaction id; providing, to the secure payment system, the transaction id; and receiving transaction details that correspond to the transaction id from the secure payment system, wherein the transaction details specify an amount of money for the transaction, wherein the transaction details are used to generate the cryptographically signed message.
10. The method of claim 9, wherein receiving, from the vendor, the transaction id includes at least one of the following: scanning an image generated by the vendor to obtain the transaction id encoded in the image; receiving the transaction id through a near field communication system; receiving the transaction id via a manual input of the user; and responsive to a determination that the transaction is being initiated from an online store that the user is accessing from the mobile device, via a network, receiving the transaction id directly through the network.
11. The method of claim 10, further comprising providing to the secure payment system a geographical location, wherein the secure payment system provides transaction details if and only if the geographical location is within a certain geographical area.
12. The method of claim 1, further comprising: generating a second random private-public key pair including a second asymmetric private key and a second asymmetric public key; providing to the secure payment system the second asymmetric public key; and responsive to receiving transaction details wherein certain criteria are met: generating a second cryptographically signed message using the second asymmetric private key, wherein the second cryptographically signed message authorizes the transaction; and providing, to the secure payment system, the second cryptographically signed message.
13. The method of claim 12, wherein the certain criteria is a requirement that a transaction amount be less than a threshold value.
14. A non-transitory computer-readable storage medium comprising executable computer program instructions executable by a processor to perform operations comprising: generating a random private-public key pair including an asymmetric private key and an asymmetric public key; providing to a secure payment system the asymmetric public key; receiving an authenticating input from a user; generating a random salt; generating a symmetric encryption key by applying a one-way hashing function to a combination of the authenticating input and the random salt; encrypting the asymmetric private key using the symmetric encryption key to produce an encrypted private key; storing, in a memory of a mobile device, the encrypted private key; deleting the asymmetric private key, the asymmetric public key, the authenticating input, and the symmetric encryption key from the memory of the mobile device; receiving a request to initiate a transaction and a subsequent authenticating input from the user; and responsive to receiving the request to initiate the transaction: retrieving the random salt; re-generating the symmetric encryption key by applying the one-way hashing function to a combination of the subsequent authenticating input and the random salt; decrypting the encrypted private key with the symmetric encryption key to obtain the asymmetric private key; generating a cryptographically signed message using the asymmetric private key, wherein the cryptographically signed message authorizes the transaction; and providing, to the secure payment system, the cryptographically signed message.
15. The non-transitory computer-readable storage medium of claim 14, wherein the authenticating input is or is generated from at least one of a PIN, a fingerprint, a facial recognition profile, an eye scan, an unlock pattern, and a password.
16. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise: storing the random salt in the memory of the mobile device.
17. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise storing the asymmetric private key via an encrypted storage system managed by an operating system.
18. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise verifying the user using a verification scheme, the verification scheme including at least one of: receiving a call; sending a text message; receiving a text message; receiving a push notification and sending a response to the secure payment system; and requiring the user to input at least one of a social security number, a portion of a social security number, a bank account PIN, answers to one or more questions regarding a financial history of the user, an address of the user, and a name of the user, and sending the input to the secure payment system.
19. The non-transitory computer-readable storage medium of claim 18, wherein the verification scheme used to verify the user includes verifying an identifier, the identifier including at least one of the name of the user, the portion of the social security number, or a device ID, and wherein the secure payment system is further configured to issue a public key certificate which includes the identifier and the asymmetric public key.
20. The non-transitory computer-readable storage medium of claim 14, wherein the cryptographically signed message authorizing the transaction can only be generated using the asymmetric private key and further wherein the asymmetric private key is not provided to a device other than the mobile device.
21. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise receiving a cryptographically signed receipt from the secure payment system, wherein the cryptographically signed receipt is signed by an asymmetric private key known only to the secure payment system.
22. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise: receiving, from a vendor, a transaction id; providing, to the secure payment system, the transaction id; and receiving transaction details that correspond to the transaction id from the secure payment system, wherein the transaction details specify an amount of money for the transaction, wherein the transaction details are used to generate the cryptographically signed message.
23. The non-transitory computer-readable storage medium of claim 22, wherein receiving, from the vendor, the transaction id includes at least one of the following: scanning an image generated by the vendor to obtain the transaction id encoded in the image; receiving the transaction id through a near field communication system; receiving the transaction id via a manual input of the user; and responsive to a determination that the transaction is being initiated from an online store that the user is accessing from the mobile device, via a network, receiving the transaction id directly through the network.
24. The non-transitory computer-readable storage medium of claim 23, wherein the operations further comprise providing to the secure payment system a geographical location, wherein the secure payment system provides transaction details if and only if the geographical location is within a certain geographical area.
25. The non-transitory computer-readable storage medium of claim 14, wherein the operations further comprise: generating a second random private-public key pair including a second asymmetric private key and a second asymmetric public key; providing to the secure payment system the second asymmetric public key; and responsive to receiving transaction details wherein certain criteria are met: generating a second cryptographically signed message using the second asymmetric private key, wherein the second cryptographically signed message authorizes the transaction; and providing, to the secure payment system, the second cryptographically signed message.
April 23, 2015
December 8, 2020